Inline script verification using nonce attribute #106
This pull request enables inline HTML scripts generated by this library to be loaded when Content Security Policy is enabled, by allowing the user to specify a nonce attribute through the RecaptchaSettings class.

Inline HTML scripts are not loaded when Content Security Policy is enabled unless they have a nonce attribute containing a unique identifier that is included in the CSP header, or you calculate their hash beforehand and include it in the CSP header, or you enable inline scripts by adding the 'unsafe-inline' value to the CSP header. Hashing is not very practical when the inline scripts contain a unique ID, as they do in this case, and using 'unsafe-inline' turns off much of CSP, defeating its purpose.

The RecaptchaSettings class currently contains a ContentSecurityPolicy property that might have been intended to solve this issue, but at the moment it just adds script-src and frame-src attributes to script tags that do not contain inline JavaScript but are loaded through the src attribute. I believe this does nothing, because the script tag does not even have script-src or frame-src attributes, and non-inline scripts can be loaded with CSP enabled by adding the URL they are loaded from to the CSP header.
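As an added example (not code from this pull request or from the library), the following Python models the three ways the description lists for a CSP to admit an inline script, and shows why a hash computed for one render does not carry over to the next when the script embeds a per-render id. `render_widget_script` and the site-key placeholder are constructed stand-ins for the library's generated inline script.

```python
import base64
import hashlib
import secrets
from typing import Optional

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def make_nonce() -> str:
    """Fresh, unpredictable nonce; generate one per HTTP response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_hash(inline_source: str) -> str:
    """CSP hash-source for the exact text content of an inline script."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def script_src_directive(csp_header: str) -> str:
    """Return the source list governing scripts: script-src, else default-src."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = " ".join(tokens[1:])
    return directives.get("script-src", directives.get("default-src", ""))


def inline_script_allowed(csp_header: str, inline_source: str,
                          nonce_attr: Optional[str]) -> Optional[str]:
    """Which source expression admits the inline script ('nonce', 'hash',
    'unsafe-inline'), or None when the policy blocks it."""
    sources = script_src_directive(csp_header).split()
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return "nonce"
    if f"'{script_hash(inline_source)}'" in sources:
        return "hash"
    # Browsers ignore 'unsafe-inline' once any nonce or hash source is present.
    has_strict = any(s.startswith(("'nonce-",) + HASH_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources and not has_strict:
        return "unsafe-inline"
    return None


def render_widget_script(widget_id: str) -> str:
    """Constructed stand-in for the library's inline bootstrap, which embeds a per-render id."""
    return f"grecaptcha.render('{widget_id}', {{'sitekey': 'SITE_KEY_PLACEHOLDER'}});"
```

The same nonce admits every render of the page as long as it is fresh per response, whereas a hash-source pinned to one render's script text blocks the next render with a different id.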